xref: /illumos-gate/usr/src/tools/smatch/src/check_zero_to_err_ptr.c (revision efe51d0c)

/*
 * Copyright (C) 2013 Oracle.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
 */

#include "smatch.h"
#include "smatch_extra.h"
#include "smatch_slist.h"

static int my_id;

static int is_comparison_call(struct expression *expr)
{
	expr = expr_get_parent_expr(expr);
	if (!expr || expr->type != EXPR_COMPARE)
		return 0;
	if (expr->op != SPECIAL_EQUAL && expr->op != SPECIAL_NOTEQUAL)
		return 0;
	return 1;
}

static int next_line_is_if(struct expression *expr)
{
	struct expression *next;

	if (!__next_stmt || __next_stmt->type != STMT_IF)
		return 0;

	next = strip_expr(__next_stmt->if_conditional);
	while (next->type == EXPR_PREOP && next->op == '!')
		next = strip_expr(next->unop);
	if (expr_equiv(expr, next))
		return 1;
	return 0;
}

static int next_line_checks_IS_ERR(struct expression *call, struct expression *arg)
{
	struct expression *next;
	struct expression *tmp;

	tmp = expr_get_parent_expr(call);
	if (tmp && tmp->type == EXPR_ASSIGNMENT) {
		if (next_line_checks_IS_ERR(NULL, tmp->left))
			return 1;
	}

	if (!__next_stmt || __next_stmt->type != STMT_IF)
		return 0;

	next = strip_expr(__next_stmt->if_conditional);
	while (next->type == EXPR_PREOP && next->op == '!')
		next = strip_expr(next->unop);
	if (!next || next->type != EXPR_CALL)
		return 0;
	if (next->fn->type != EXPR_SYMBOL || !next->fn->symbol ||
	    !next->fn->symbol->ident ||
	    (strcmp(next->fn->symbol->ident->name, "IS_ERR") != 0 &&
	     strcmp(next->fn->symbol->ident->name, "IS_ERR_OR_NULL") != 0))
		return 0;
	next = get_argument_from_call_expr(next->args, 0);
	return expr_equiv(next, arg);
}

static int is_non_zero_int(struct range_list *rl)
{
	struct data_range *tmp;
	int cnt = -1;

	FOR_EACH_PTR(rl, tmp) {
		cnt++;

		if (cnt == 0) {
			if (tmp->min.value == INT_MIN &&
			    tmp->max.value == -1)
				continue;
		} else if (cnt == 1) {
			if (tmp->min.value == 1 &&
			    tmp->max.value == INT_MAX)
				return 1;
		}
		return 0;
	} END_FOR_EACH_PTR(tmp);
	return 0;
}

static int is_valid_ptr(sval_t sval)
{
	if (sval.value == INT_MIN || sval.value == INT_MAX)
		return 0;

	if (sval_cmp(valid_ptr_min_sval, sval) <= 0 &&
	    sval_cmp(valid_ptr_max_sval, sval) >= 0) {
		return 1;
	}
	return 0;
}

static int has_distinct_zero(struct range_list *rl)
{
	struct data_range *tmp;

	FOR_EACH_PTR(rl, tmp) {
		if (tmp->min.value == 0 || tmp->max.value == 0)
			return 1;
	} END_FOR_EACH_PTR(tmp);
	return 0;
}

static void match_err_ptr(const char *fn, struct expression *expr, void *data)
{
	struct expression *arg_expr;
	struct sm_state *sm, *tmp;

	if (is_impossible_path())
		return;

	arg_expr = get_argument_from_call_expr(expr->args, 0);
	sm = get_sm_state_expr(SMATCH_EXTRA, arg_expr);
	if (!sm)
		return;

	if (is_comparison_call(expr))
		return;

	if (next_line_checks_IS_ERR(expr, arg_expr))
		return;
	if (strcmp(fn, "ERR_PTR") == 0 &&
	    next_line_is_if(arg_expr))
		return;

	FOR_EACH_PTR(sm->possible, tmp) {
		if (!estate_rl(tmp->state))
			continue;
		if (is_non_zero_int(estate_rl(tmp->state)))
			continue;
		if (has_distinct_zero(estate_rl(tmp->state))) {
			sm_warning("passing zero to '%s'", fn);
			return;
		}
		if (strcmp(fn, "PTR_ERR") != 0)
			continue;
		if (is_valid_ptr(estate_min(tmp->state)) &&
		    is_valid_ptr(estate_max(tmp->state))) {
			sm_warning("passing a valid pointer to '%s'", fn);
			return;
		}
	} END_FOR_EACH_PTR(tmp);
}

void check_zero_to_err_ptr(int id)
{
	if (option_project != PROJ_KERNEL)
		return;

	my_id = id;
	add_function_hook("ERR_PTR", &match_err_ptr, NULL);
	add_function_hook("ERR_CAST", &match_err_ptr, NULL);
	add_function_hook("PTR_ERR", &match_err_ptr, NULL);
}